2) nginx.conf文件设置
- server {
- listen 443;
-
- # dns resolver used by forward proxying
- resolver 114.114.114.114;
- # forward proxy for CONNECT request
- proxy_connect;
- proxy_connect_allow 443;
- proxy_connect_connect_timeout 10s;
- proxy_connect_read_timeout 10s;
- proxy_connect_send_timeout 10s;
- # forward proxy for non-CONNECT request
- location / {
- proxy_pass http://$host;
- proxy_set_header Host $host;
- }
- }
行使场景
7层必要通过HTTP CONNECT来成立地道,属于客户端有感知的平凡署理方法,必要在客户端手动设置HTTP(S)署理处事器IP和端口。在客户端用curl 加-x参数会见如下:
- # curl https://www.baidu.com -svo /dev/null -x 39.105.196.164:443
- * About to connect() to proxy 39.105.196.164 port 443 (#0)
- * Trying 39.105.196.164...
- * Connected to 39.105.196.164 (39.105.196.164) port 443 (#0)
- * Establish HTTP proxy tunnel to www.baidu.com:443
- > CONNECT www.baidu.com:443 HTTP/1.1
- > Host: www.baidu.com:443
- > User-Agent: curl/7.29.0
- > Proxy-Connection: Keep-Alive
- >
- < HTTP/1.1 200 Connection Established
- < Proxy-agent: nginx
- <
- * Proxy replied OK to CONNECT request
- * Initializing NSS with certpath: sql:/etc/pki/nssdb
- * CAfile: /etc/pki/tls/certs/ca-bundle.crt
- CApath: none
- * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * Server certificate:
- * subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
- ...
- > GET / HTTP/1.1
- > User-Agent: curl/7.29.0
- > Host: www.baidu.com
- > Accept: */*
- >
- < HTTP/1.1 200 OK
- ...
- { [data not shown]
从上面-v参数打印出的细节,可以看到客户端先往署理处事器39.105.196.164成立了HTTP CONNECT地道,署理回覆HTTP/1.1 200 Connection Established后就开始交互TLS/SSL握手和流量了。
NGINX stream (4层办理方案)
既然是行使透传上层流量的要领,那可不行做成“4层署理”,对TCP/UDP以上的协议实现彻底的透传呢?谜底是可以的。NGINX官方从1.9.0版本开始支持ngx_stream_core_module模块,模块默认不build,必要configure时加上--with-stream选项来开启。
题目
用NGINX stream在TCP层面上署理HTTPS流量必定会碰着本文一开始提到的谁人题目:署理处事器无法获取客户端想要会见的目标域名。由于在TCP的层面获取的信息仅限于IP和端口层面,没有任何机遇拿到域名信息。要拿到目标域名,必必要有拆上层报文获取域名信息的手段,以是NGINX stream的方法不是完全严酷意义上的4层署理,照旧要略微借助些上层手段。
ngx_stream_ssl_preread_module模块
(编辑:河北网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|